#!/bin/sh
#  Copyright: ©2010, Güralp Systems Ltd.
#  Author: Laurence Withers <lwithers@guralp.com>
#  License: GPLv3
#
#  Cope with the migration from Pt-users to proper shadow passwords and the
#  Busybox HTTP digest auth mechanism. Based on the original script by Bob
#  Dunlop.
#
#  Note that the first upgrade across the multi-user boundary, whether it be
#  by EAM-upgrade-to-eabi.sh (EAM) or regular upgrade (DCM, NAM, NAM64), will
#  pull down the static rsync-based /etc/passwd and /etc/group.
#

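# Paths used by the migration.  None of them change at runtime, so they are
# marked readonly: a later accidental reassignment (e.g. reusing a name as a
# scratch variable) then fails loudly instead of silently redirecting a
# credential file somewhere else.
readonly PTDIR="/var/lib/Pt-users"                 # legacy Pt-users store, removed at the end
readonly SHAD="/etc/shadow"                        # target system shadow file
readonly HTTPSHAD="/etc/shadow_http"               # deprecated busybox httpd digest file
readonly HTDIGEST="/etc/lighttpd/htdigest.local"   # target lighttpd digest file
readonly GRP="/etc/group"
readonly GRPSRC="/usr/share/perms/groups"          # package-shipped "Name GID" list

# HTTP digest realm.  Every HA1 stored in HTDIGEST is md5("user:REALM:pw"),
# so changing this string silently invalidates all stored web passwords.
readonly REALM="Platinum web authentication"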



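# Keep /etc/group up-to-date.
#
#  Format of GRPSRC file is "Name GID", one group per line; '#' starts a
#  comment and blank lines are ignored. We don't rsync this file because
#  that would overwrite group membership of locally-configured users. We avoid
#  a .local symlink because some NSS implementations might not dereference.
#
#  A group already present in GRP (matched by name) is left exactly as it is,
#  so locally-changed GIDs and member lists survive an upgrade. Nothing checks
#  that a *new* GID is unused: GRPSRC is a trusted, package-shipped file.
#
sed -e 's/#.*//' -e '/^[ 	]*$/d' "${GRPSRC}" | while read -r n g junk
do
	# both fields are required; anything after them is ignored
	[ -n "${n}" ] && [ -n "${g}" ] || continue

	# ${n} is used unescaped as a regex anchor; fine for the plain group
	# names GRPSRC ships, but do not feed this loop untrusted input.
	if grep -q "^${n}:" "${GRP}" 2>/dev/null
	then
		: group already present, nothing to do
	else
		echo " * Adding group ${n} (${g}) to ${GRP}"
		echo "${n}:x:${g}:" >> "${GRP}"
	fi
done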



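# Recreate /etc/shadow
#
#  If /etc/shadow is missing or 0 length (e.g. fresh unit, factory reset
#  or first upgrade from Pt-users) then we must recreate it. We try to
#  read the root password from Pt-users but failing that we fall back to
#  the factory default 'guralp3'.
#
#  SECURITY: 'guralp3' is a published default. A unit that takes the
#  fallback path has a root password anyone can guess until an operator
#  changes it; nothing in this script forces that change.
#
#  Only root gets a usable password; the service accounts are written with
#  '!' (locked). 14666 is the last-change day count (early 2010), carried
#  over from the original script.
#
if [ ! -s "${SHAD}" ]
then
	echo " * Creating fresh ${SHAD}"
	ROOTPW=""
	if [ -e "${PTDIR}/passwords" ]
	then
		echo "  * Using old root password"
		ROOTPW=$(gcs_rwvar gcs_get_varcf root "${PTDIR}/passwords")
	fi
	ROOTPW="${ROOTPW:-guralp3}"

	# md5crypt, as before. The plaintext is handed to mkpasswd on fd 0
	# rather than on argv, so it is not readable by every local process
	# via ps / /proc while the upgrade runs (and a password containing
	# spaces is no longer split into password + salt). "-P N" (read the
	# password from fd N) is accepted by both busybox and whois mkpasswd.
	ROOTENC=$(printf '%s\n' "${ROOTPW}" | mkpasswd -m md5 -P 0)

	if [ -z "${ROOTENC}" ]
	then
		# An empty hash field would be a root account with NO password at
		# all, so refuse to write the file: login fails closed and the
		# next run (boot / upgrade) retries.
		echo "  ! mkpasswd failed, not creating ${SHAD}" >&2
	elif TMPF=$(mktemp "${SHAD}.XXXXXX")
	then
		# mktemp creates the file 0600 in the same directory as ${SHAD},
		# so the final mv is an atomic rename and the hash never sits in
		# a world-readable file.
		cat > "${TMPF}" <<EOF
root:${ROOTENC}:14666:0:99999:7:::
sshd:!:14666:0:99999:7:::
nobody:!:14666:0:99999:7:::
postgres:!:14666:0:99999:7:::
daemon:!:14666:0:99999:7:::
EOF
		mv "${TMPF}" "${SHAD}"
	else
		echo "  ! mktemp failed, not creating ${SHAD}" >&2
	fi
fi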



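# Recreate /etc/lighttpd/htdigest.local
#
#  If /etc/lighttpd/htdigest.local is missing or 0 length (e.g. fresh unit,
#  factory reset, upgrade from busybox httpd or upgrade from Pt-users)
#  then we must recreate it. We try to inherit old passwords but failing
#  that we fall back to 'guralp3' -- a published default, so a unit on that
#  path has a guessable web password until an operator changes it.
#
#  lighttpd's file is "user:realm:HA1" with HA1 = md5("user:realm:password").
#  The old busybox httpd file kept the same HA1 in its second field, so as
#  long as REALM is unchanged the conversion is a pure text reshuffle and
#  never needs the plaintext.
#
#  NOTE(review): mktemp yields a 0600 root-owned file. Confirm lighttpd
#  reads HTDIGEST before dropping privileges (or runs as root); otherwise
#  every web login fails after this script runs.
#
if [ ! -s "${HTDIGEST}" ]
then
	echo " * Creating fresh ${HTDIGEST}"
	if [ -e "${HTTPSHAD}" ]
	then
		echo "  * Using passwords from ${HTTPSHAD}"
		# The temp file lives beside HTDIGEST (not beside HTTPSHAD, as it
		# used to) so the mv is an atomic same-directory rename.
		if TMPF=$(mktemp "${HTDIGEST}.XXXXXX")
		then
			# ${REALM} is spliced into the sed replacement text; that is
			# only safe because it is a fixed string containing none of
			# '/', '&' or '\'. Anything after the old second field is
			# dropped.
			sed -e 's/^\([^:]*\):\([^:]*\):.*$/\1:'"${REALM}"':\2/' \
				< "${HTTPSHAD}" > "${TMPF}"
			mv "${TMPF}" "${HTDIGEST}"
		else
			echo "  ! mktemp failed, not creating ${HTDIGEST}" >&2
		fi
	else
		ROOTPW=""
		if [ -e "${PTDIR}/passwords" ]
		then
			echo "  * Using old root password"
			ROOTPW=$(gcs_rwvar gcs_get_varcf root "${PTDIR}/passwords")
		fi
		ROOTPW="${ROOTPW:-guralp3}"

		# HA1 for digest auth. printf instead of 'echo -n': the latter is
		# not guaranteed under /bin/sh, and a stray newline in the input
		# would silently change the hash.
		ROOTENC=$(printf '%s' "root:${REALM}:${ROOTPW}" | md5sum | cut -d' ' -f 1)

		if [ -z "${ROOTENC}" ]
		then
			# An empty HA1 is a known value, i.e. a guessable credential.
			echo "  ! md5sum failed, not creating ${HTDIGEST}" >&2
		elif TMPF=$(mktemp "${HTDIGEST}.XXXXXX")
		then
			printf '%s\n' "root:${REALM}:${ROOTENC}" > "${TMPF}"
			mv "${TMPF}" "${HTDIGEST}"
		else
			echo "  ! mktemp failed, not creating ${HTDIGEST}" >&2
		fi
	fi
fi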



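# Finally clean out deprecated files -- but only once their replacement is
# actually in place. The old files are the only copy of the unit's real
# credentials: deleting them after a failed conversion would make the next
# run take the 'guralp3' fallback and silently reset root to a known
# default password.
if [ -e "${HTTPSHAD}" ] && [ -s "${HTDIGEST}" ]
then
	rm -f -- "${HTTPSHAD}"
fi
# Pt-users feeds both /etc/shadow and the web digest fallback, so both must
# exist before it goes.
if [ -d "${PTDIR}" ] && [ -s "${SHAD}" ] && [ -s "${HTDIGEST}" ]
then
	rm -rf -- "${PTDIR}"
fi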
